Medium severity · Vercel

Exposed Next.js build files on Vercel

Your deployed app serves internal Next.js build output: usually the contents of `.next/`, such as `BUILD_ID`, the route manifests, or the `server/` bundles. In a correctly configured deployment the only build artefacts a browser can reach are the client assets under `/_next/static/` plus whatever you put in `public/`; the `.next/` directory itself is read by the Next.js server process and is never served. When the whole build output is exposed as static files, anyone can download your server-side code, including authentication logic, API route handlers, and any secret hard-coded in them. On Vercel, fix it by deploying with the Next.js framework preset rather than as a static or "Other" build; when self-hosting, run `next start` or the standalone server produced by `output: 'standalone'`, and never point a static file server at the project root or the build directory.

The fix for Vercel

Vercel handles this automatically when the project uses the Next.js framework preset: the build output goes to Vercel's functions and static asset layer, and the `.next/` directory is never served as files. If yours is exposed, the project is probably set to the "Other" framework preset with an Output Directory of `.next` (or the repo root), which Vercel then serves as plain static files, or a build step copied `.next` into `public/`. Switch the Framework Preset to Next.js in the project's Build & Development Settings, remove any Output Directory override, delete any copy of `.next` under `public/`, and redeploy.

Why it matters

Next.js server bundles contain the code that runs on the server: middleware and auth checks, API route handlers, database access, and any secret that was hard-coded or inlined at build time. Making them public is close to a source-code leak, and worse than a leaked client source map: a source map only reveals code the browser already downloads, while server bundles were never meant to leave the server at all. `BUILD_ID` and the route manifests also hand an attacker a precise map of every page and API route to probe.

Confirm the fix worked

Scan your Vercel site to confirm this finding is gone.
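A manual probe you can run before and after redeploying, as an added example that is not part of this page or of Vercel's tooling. It requests the files `next build` writes into `.next/` (the well-known names `BUILD_ID`, `required-server-files.json`, `routes-manifest.json` and `server/pages-manifest.json`, assumed here as the probe list), counts a 200 as a hit only when the body looks like the artefact rather than a host's HTML fallback page, and does not follow redirects. Given a URL it checks that site; without arguments it starts a local static server over a constructed directory tree and shows the misconfigured case (repo root served as static files, the root cause described above) beside the fixed one.

```python
"""Probe a Next.js deployment for an exposed .next/ build directory.

Added example for this finding; not code from Vercel or the Next.js project.
Standard library only. The demo server and its directory trees are
constructed here to stand in for a misconfigured and a fixed deployment.
"""
import functools
import http.server
import os
import sys
import tempfile
import threading
import urllib.error
import urllib.request

# Build artefacts that must never be reachable over HTTP. Client assets under
# /_next/static/ are legitimately public; these files are not.
PROBE_PATHS = [
    "/.next/BUILD_ID",
    "/.next/required-server-files.json",
    "/.next/routes-manifest.json",
    "/.next/server/pages-manifest.json",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 30x to a login or fallback page is not a hit."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, timeout=5):
    """GET url and return (status, first 512 bytes of the body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "next-build-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as err:
        return err.code, (err.read(512) if err.fp is not None else b"")


def looks_like_build_file(path, body):
    """Separate a real artefact from an HTML fallback or custom 404 page that
    some hosts return with status 200 for unknown paths."""
    text = body.decode("utf-8", "replace").strip()
    if not text or text.startswith("<"):
        return False
    if path.endswith("BUILD_ID"):
        # A BUILD_ID is a single short token (a 21-character id in practice).
        return len(text) <= 64 and len(text.split()) == 1
    if path.endswith(".json"):
        return text.startswith("{")
    return True


def check_deployment(base_url, paths=PROBE_PATHS):
    """Return the probe paths that base_url serves as genuine build files."""
    exposed = []
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and looks_like_build_file(path, body):
            exposed.append(path)
    return exposed


# ---- local demo: a plain static file server over a constructed deploy root ----

class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output readable
        pass


def serve_directory(root):
    """Serve root as static files, which is exactly what a misconfigured host does."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


def build_demo_tree(root, expose_build_dir):
    """Write a constructed deploy root. With expose_build_dir=True it mimics a repo
    root, .next/ included, deployed as a static site; contents are placeholders."""
    files = {"index.html": "<!doctype html><title>app</title>"}
    if expose_build_dir:
        files.update({
            ".next/BUILD_ID": "Xq1Rr3dEmoBuildId2024",
            ".next/required-server-files.json": '{"version": 1, "config": {}}',
            ".next/routes-manifest.json": '{"version": 3, "pages404": true}',
            ".next/server/pages-manifest.json": '{"/api/login": "pages/api/login.js"}',
        })
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Probe a misconfigured and a fixed deploy root; return their findings."""
    results = {}
    for label, expose in (("misconfigured", True), ("fixed", False)):
        with tempfile.TemporaryDirectory() as root:
            build_demo_tree(root, expose)
            url, server = serve_directory(root)
            try:
                results[label] = check_deployment(url)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_next.py https://your-app.example
        hits = check_deployment(sys.argv[1])
        print("EXPOSED: " + ", ".join(hits) if hits else "clean: no .next/ files reachable")
    else:
        for label, hits in run_demo().items():
            print(label + ": " + (", ".join(hits) if hits else "clean"))
```

A clean result from this probe is necessary, not sufficient: it only checks a handful of well-known paths and does not verify that the client assets under `/_next/static/` still load, so keep the full scan as the confirmation step.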

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

My site has /.next/BUILD_ID and other build files reachable from the public internet. Diagnose my deployment setup: am I using `next start`, a static export, or serving the whole build directory or repo root as static files? Fix the root cause (on Vercel, use the Next.js framework preset with no `.next` output directory override, and make sure nothing copies `.next` into `public/`), then confirm after redeploying that /.next/ returns 404 while the client assets under /_next/static/ still load.

FAQ

Frequently asked questions

I use `output: 'export'`. Is this relevant?
Less so. A static export writes the finished site to `out/`, which contains no server bundles. `next build` still creates `.next/` in the project directory while it runs, though, so if you deploy the repo root instead of `out/`, the build directory ships along with it. Deploy `out/`, never the repo root.